Andaira Technology

 

C/C++ Secure Coding 


Certificación: N/A 

Acreditación: None 

Duración: 2 días 

Idioma del material: Inglés 

Formato: Presencial 

Credits: N/A

Introducción:

This course explains in details the mechanisms underlying typical C/C++ security relevant programming bugs – the common security vulnerabilities. The root causes of the problems are explained through a number of easy-to-understand source code examples, which at the same time make clear how to find and correct these problems in practice. The real strength of the course lays in numerous hands-on exercises, which help the participants understand how easy it is to exploit these vulnerabilities by the attackers.

The course also gives an overview of practical protection methods that can be applied at different levels (hardware components, the operating system, programming languages, the compiler, the source code or in production) to prevent the occurrence of the various bugs, to detect them during development and before market launch, or to prevent their exploitation during system operation. Through exercises specially tailored to these mitigation techniques participants can learn how simple – and moreover cheap – it is to get rid of various security problems.

Audiencia:

C/C++ developers, software architects and testers

Objetivos:

Individuals certified at this level will have demonstrated:

  • Understand basic concepts of security, IT security and secure coding
  • Realize the severe consequences of non-secure buffer handling
  • Understand the architectural protection techniques and their weaknesses
  • Learn about typical coding mistakes and how to avoid them
  • Be informed about recent vulnerabilities in various platforms, frameworks and libraries
  • Get sources and further reading on secure coding practices

Prerrequisitos:

None

Material del curso:

You will receive the following as part of this course:

  • A participant handbook with reference materials
  • Virtual machine with the exercises (to be distributed by the instructor on a USB drive)

Examen:

There are no exams associated with this course

Requisitos técnicos:

A preinstalled exercise environment in the form of desktop virtual machine will be distributed on USB sticks for the participants at the start of the course by the instructor.

Hardware and software specifications for the used host PCs are:

  • CPU equivalent to Core i5 with virtualization technology is recommended, minimum is Core i3 (or equivalent laptop processors)
  • 4GB is recommended, minimum is 2GB
  • At least 20 GB free space on the HDD.
  • Display resolution minimum 1024×768 (the larger the better)
  • Keyboard, mouse: any can be used as long as participants are familiar with them.
  • VMware Player minimal version is 3.2, preferred is 5.0.4.

Temario:

IT security and secure coding

  • Nature of security
  • IT security related terms
  • Definition of risk
  • IT security vs. secure coding
  • From vulnerabilities to botnets and cyber crime
  • Classification of security flaws

Security relevant C/C++ programming bugs and flaws

  • Exploitable security flaws
  • Protection principles
  • x86 machine code, memory layout, stack operations

Buffer overflow

  • Buffer overflow
  • Stack overflow
  • Protection against stack overflow
  • Stack smashing protection
  • Address Space Layout Randomization (ASLR)
  • Non executable memory areas – the NX bit
  • Return-to-libc attack – Circumventing the NX bit
  • Return oriented programming (ROP)
  • Heap overflow

Common coding errors and vulnerabilities

  • Input validation
  • Improper use of security features
  • Improper error and exception handling
  • Time and state problems
  • Code quality problems

Advices and principles

  • Matt Bishop’s principles of robust programming
  • The security principles of Saltzer and Schroeder

Knowledge sources

  • Secure coding sources – a starter kit
  • Vulnerability databases